Welcome to This Week’s [in]Security. PCI 3DS Updates. New breaches: ParkMobile, Codecov, Upstox, ClubHouse. New Ransomware: Follow-ups & Fall-out: Facebook. Breach spin and Greed. Privacy. Laws & Regs: Class Actions, Breach Notification, LEA requests. BYOD. IOT. Defense: Anti-Caller ID Spoofing, Rockets, Code, Coders, Free Course, Cyber Careers, Power Grid, FLoC off, OSCAL. Vulnerabilities: Browser ZeroDays, Faster Bug Disclosure, DNS, NAME:WRECK, IoT, Un-awareness, Dependencies, Pwn2Own, Kubernetes, Juniper, Zoom, Crypto. Cybercrime: FBI Patching. Trends. Nation States. Crime. Other Risks. Child Abuse Images. Health, Safety & Environment. Covid-19: Spread, Curves, Waves, and Variants. The Good, Bad, and Ugly (Behaviour). And more.
PCI Compliance and Payments
News and announcements relating to Payment Security, PCI, Card Brands, Payments, Payment Malware and Fraud, and Payment Related Compliance.
Breaches / Ransomware / Leaks
Covering breaches, leaks, data exposures, ransomware (as potential breach), and their fallout.
Articles about privacy-related news, risks, and trends.
Laws, Regulations, Platforms, Standards, and Public Policy
News about laws, regulations, platform rules, and standards affecting security, privacy, technology, and public interest.
Defense / Techniques / Solutions
Covering developments and opportunities that may help improve security.
- CRTC directs service providers to implement STIR/SHAKEN (Anti-Caller ID spoofing measures), file readiness reports https://mobilesyrup.com/2021/04/08/crtc-service-providers-stir-shaken-implementation/
- Inaugural Space Cybersecurity Symposium: Access for Start-ups Department of Commerce | Department of Homeland Security Wednesday, May 5, 2021 10:00 am – 4:00 pm EDT https://www.nist.gov/news-events/events/2021/05/inaugural-space-cybersecurity-symposium-access-start-up
- Top 20 most popular programming language list (not best or most used) https://www.tiobe.com/tiobe-index/
- Wanted: Software Developers with a Security Mindset https://blog.isc2.org/isc2_blog/2021/04/wanted-software-developers-with-a-security-mindset.html
- Ryerson launches free cybersecurity e-course for SMBs https://www.itworldcanada.com/article/ryerson-launches-free-cybersecurity-e-course-for-smbs/445140
- The VIRTUAL NICE K12 Cybersecurity Education Conference “Broadening the Path to Cybersecurity Careers Through K12 Education” CALL FOR PROPOSALS opens today, April 13, and runs through June 18, 2021. https://content.govdelivery.com/accounts/USNIST/bulletins/2cbb122
- What are the different roles within cybersecurity? https://thehackernews.com/2021/04/what-are-different-roles-within.html
- Biden Races to Shore Up Power Grid Against Hacks https://threatpost.com/biden-power-grid-hacks/165428/
- HTTPS Everywhere Now Uses DuckDuckGo’s Smarter Encryption https://www.eff.org/deeplinks/2021/04/https-everywhere-now-uses-duckduckgos-smarter-encryption
- Vivaldi, Brave, DuckDuckGo reject Google's FLoC ad tracking tech https://www.bleepingcomputer.com/news/security/vivaldi-brave-duckduckgo-reject-googles-floc-ad-tracking-tech/
- WordPress to automatically disable Google FLoC on websites https://www.bleepingcomputer.com/news/security/wordpress-to-automatically-disable-google-floc-on-websites/
- Why and How You Should be Using an Internal Certificate Authority (Thu, Apr 15th) https://isc.sans.edu/diary/rss/27314
- Security Assessment Automation: Open Security Controls Assessment Language (OSCAL) 1.0.0 Release Candidate 2 (RC2) is open for feedback until May 7, 2021 https://github.com/usnistgov/OSCAL/releases/tag/v1.0.0-rc2 (main page at https://pages.nist.gov/OSCAL/)
- Windows 10 is getting a 'Windows Tools' control panel for power users https://www.bleepingcomputer.com/news/microsoft/windows-10-is-getting-a-windows-tools-control-panel-for-power-users/
Bugs / Design Flaws / Vulnerabilities / Research
Articles about newly discovered vulnerabilities and research.
- Chrome Zero-Day Exploit Posted on Twitter https://threatpost.com/chrome-zero-day-exploit-twitter/165363/
- Google Chrome, Microsoft Edge zero-day vulnerability shared on Twitter https://www.bleepingcomputer.com/news/security/google-chrome-microsoft-edge-zero-day-vulnerability-shared-on-twitter/
- Google Project Zero Cuts Bug Disclosure Timeline to a 30-Day Grace Period https://threatpost.com/google-project-zero-cuts-bug-disclosure-timeline-to-a-30-day-grace-period/165432/
- April 2021 Patch Tuesday – 108 Vulnerabilities, 19 Critical, Adobe https://blog.qualys.com/vulnerabilities-research/2021/04/14/april-2021-patch-tuesday-108-vulnerabilities-19-critical-adobe
- Domain Name Security Neglected by U.S. Energy Companies: Report https://www.securityweek.com/domain-name-security-neglected-us-energy-companies-report
- Major BGP leak disrupts thousands of networks globally https://www.bleepingcomputer.com/news/security/major-bgp-leak-disrupts-thousands-of-networks-globally/
- Microsoft fixes Windows 10 bug that can corrupt NTFS drives https://www.bleepingcomputer.com/news/security/microsoft-fixes-windows-10-bug-that-can-corrupt-ntfs-drives/
- Microsoft Has Busy April Patch Tuesday with Zero-Days, Exchange Fixes https://threatpost.com/microsoft-april-patch-tuesday-zero-days/165393/
- Microsoft Patches 4 Additional Exchange Flaws https://www.databreachtoday.com/microsoft-patches-4-additional-exchange-flaws-a-16396
- NSA Discloses Vulnerabilities in Microsoft Exchange https://www.schneier.com/blog/archives/2021/04/nsa-discloses-vulnerabilities-in-microsoft-exchange.html
- NSA Discovers New Vulnerabilities Affecting Microsoft Exchange Servers https://thehackernews.com/2021/04/nsa-discovers-new-vulnerabilities.html
- NSA helps out Microsoft with critical Exchange Server vulnerability disclosures in an April shower of patches https://www.theregister.com/2021/04/13/patch_tuesday_april/
- 100 million more IoT devices are exposed (Name:Wreck) and they won’t be the last https://www.wired.com/story/namewreck-iot-vulnerabilities-tcpip-millions-devices/
- NAME:WRECK DNS vulnerabilities affect over 100 million devices https://www.bleepingcomputer.com/news/security/name-wreck-dns-vulnerabilities-affect-over-100-million-devices/
- NAME:WRECK: Nine DNS Vulnerabilities Found in Four Open Source TCP/IP Stacks https://www.tenable.com/blog/namewreck-nine-dns-vulnerabilities-found-in-four-open-source-tcpip-stacks
- New NAME:WRECK Vulnerabilities Impact Nearly 100 Million IoT Devices https://thehackernews.com/2021/04/new-namewreck-vulnerabilities-impact.html
- Severe Bugs Reported in EtherNet/IP Stack for Industrial Systems https://thehackernews.com/2021/04/severe-bugs-reported-in-ethernetip.html
- 61 percent of employees fail basic cybersecurity quiz https://www.scmagazine.com/home/security-news/61-percent-of-employees-fail-basic-cybersecurity-quiz/
- Azure DevOps Server 2020 Defaults to HTTP and facilitates supply chain attacks https://www.trendmicro.com/en_us/research/21/d/https-over-http-a-supply-chain-attack-on-azure-devops-server-202.html
- Dependency Problems Increase for Open Source Components https://www.darkreading.com/application-security/dependency-problems-increase-for-open-source-components/d/d-id/1340665
- Windows, Ubuntu, Zoom, Safari, MS Exchange Hacked at Pwn2Own 2021 https://thehackernews.com/2021/04/windows-ubuntu-zoom-safari-ms-exchange.html
- 1-Click Hack Found in Popular Desktop Apps — Check If You're Using Them https://thehackernews.com/2021/04/1-click-hack-found-in-popular-desktop.html
- Security Bug Allows Attackers to Brick Kubernetes Clusters https://threatpost.com/security-bug-brick-kubernetes-clusters/165413/
- Critical Vulnerability Can Allow Attackers to Hijack or Disrupt Juniper Devices https://www.securityweek.com/critical-vulnerability-can-allow-attackers-hijack-or-disrupt-juniper-devices
- Security Analysis of End-to-End Encryption for Zoom Meetings, by Takanori Isobe and Ryoma Ito https://eprint.iacr.org/2021/486
- Cryptanalysis of ‘MAKE’, by Daniel Brown and Neal Koblitz and Jason LeGrow https://eprint.iacr.org/2021/465
- Improving Recent Side-Channel Attacks Against the DES Key Schedule, by Andreas Wiemers and Johannes Mittmann https://eprint.iacr.org/2021/463
Hacking / Malware / Cybercrime / Exploitation
News covering active trends, alerts, events.
FBI patching the Internet:
Trends, Alerts, and Events (other than major breaches):
Nation State Actors:
Crime & Arrests, etc.:
Other Security / Risk
Articles covering other types of risks.
- Automatic gender recognition tech is dangerous, say campaigners: it’s time to ban it https://www.theverge.com/2021/4/14/22381370/automatic-gender-recognition-sexual-orientation-facial-ai-analysis-ban-campaign
- Chip shortage that has caused problems across tech industry could last in 2023, CEOs say https://www.independent.co.uk/life-style/gadgets-and-tech/chip-shortage-2023-intel-ceo-b1832618.html
- DNI’s Annual Threat Assessment https://www.schneier.com/blog/archives/2021/04/dnis-annual-threat-assessment.html
- Dutch supermarkets run out of cheese after ransomware attack https://www.bleepingcomputer.com/news/security/dutch-supermarkets-run-out-of-cheese-after-ransomware-attack/
- Epic’s tool that lets you make realistic digital humans is now in early access https://www.theverge.com/2021/4/14/22382757/epic-games-unreal-engine-metahuman-creator-early-access
- Google Docs went down https://www.zdnet.com/article/google-docs-down/
- Here’s how the FBI managed to get into the San Bernardino shooter’s iPhone https://www.theverge.com/2021/4/14/22383957/fbi-san-bernadino-iphone-hack-shooting-investigation
- Say what? More jargon in a paper means fewer scientists will read it, study finds https://www.cbc.ca/radio/asithappens/as-it-happens-tuesday-edition-1.5985611/say-what-more-jargon-in-a-paper-means-fewer-scientists-will-read-it-study-finds-1.5985613
- Spy agency GCHQ told me Gmail's more secure than Microsoft 365, insists British MP as facepalming security bods tell him to zip it https://www.theregister.com/2021/04/14/tom_tugendhat_email_security_outburst/
- The Threat of Electric Vehicles to the Grid https://vividcomm.com/2021/04/18/the-threat-of-electric-vehicles/
- This Is The Point When People Start Trusting Algorithms More Than Other Humans https://www.sciencealert.com/this-is-when-people-start-to-trust-algorithms-more-than-humans
- Twitter begins analyzing harmful impacts of its algorithms https://www.theverge.com/2021/4/15/22385563/twitter-algorithms-machine-learning-bias
- Stories of child abuse images in the blockchain go back years. In this update last month, Blockchain Sleuth Says OKEx, Huobi Stonewalled Him in Child Porn Investigation https://www.coindesk.com/cipherblade-okex-huobi-csem-morphtoken
- We haven’t confirmed these posts but, if accurate, they raise a number of legal, ethical, and risk issues for Image Search Providers and Canada Child Protection – https://linustechtips.com/topic/1322512-canada-child-protect-caught-spreading-child-porn-using-aws-services/, https://varishangout.com/index.php?threads/canadian-centre-for-child-protection-uploading-and-self-reporting-cp-on-saucenao.259/
Health, Safety & Environment:
- Student's heart failure linked to 'excessive' energy drinks https://www.bbc.co.uk/news/newsbeat-56747731
- How product placements may soon be added to classic films https://www.bbc.co.uk/news/business-56758376
- Reuters finally decides to charge you for its online news stories with a paywall https://www.theverge.com/2021/4/15/22386037/reuters-paywall-online-news-content-publishers
COVID related articles. We have been following coronavirus risks since https://controlgap.com/blog/this-weeks-insecurity-issue-147.
The spread, curves, spikes, waves, reinfection, and variant strains:
Guidance, Response, and Recovery:
Treatments, Testing, Triage, Trials, and things we Learned:
More of the good, the bad, and the ugly:
Off-Topic / Science & Tech / Lighter Side
A variety of scientific, technical, historical, and more light-hearted news.